Ransomware: Coming to a robot near you soon?

A a proof-of-concept hack at the Kaspersky Security Analyst Summit showed how robots could be infected with ransomware.

During a surprise appearance at HBO’s Westworld panel at South by Southwest, Elon Musk again expressed his fear of artificial intelligence (AI).

“I’m really quite close, very close to the cutting edge in AI. It scares the hell out of me,” Musk said. “It’s capable of vastly more than almost anyone on Earth, and the rate of improvement is exponential.”

He added, “I think the danger of AI is much bigger than the danger of nuclear warheads by a lot. Nobody would suggest we allow the world to just build nuclear warheads if they want, that would be insane. And mark my words: AI is far more dangerous than nukes.”

Proof-of-concept hack shows ransomware attack on Softbank robots

Meanwhile, at the Kaspersky Security Analyst Summit, IOActive security researcher Lucas Apa showed off a different type of danger that could occur if robots the size of a child were to be hacked. Granted, it’s not like the cute little humanoid robots were hacked to act like a murderous Chucky doll, but a proof-of-concept hack showed the first-ever ransomware attack on robots.

Building on their previous research, which identified nearly 50 vulnerabilities in robots from various robot technology vendors (pdf), IOActive’s Cesar Cerrudoand Lucas Apa hacked the humanoid robot NAO, saying the same attack would work on Pepper because it uses the same operating system and has the same vulnerabilities. SoftBank Robotics has so far sold over 30,000 of these robots — 20,000 Pepper robots are currently being used in businesses, such as Sprint, and 10,000 NAO robots are being used as education and research tools.

“What we found was pretty astonishing: Ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets,” said Apa.

For the attack to work, the attacker wouldn’t need physical access to the robot. Instead, he or she would need to access to the same WI-FI network the robot is on. The robot might be connected to a retail store’s public internet. Another possibility, according to what Cerrudo told ZDNet, is that the “attack can come from a computer or other device that is connected to internet, so a computer gets hacked, and from there, the robot can be hacked, since it’s in the same network as the hacked computer.”

In the proof-of-concept attack, the researchers created and uploaded ransomware to the NAO robot model. The press release explained that “by injecting custom code into any behavior file classes, they altered the robot behaviors to be malicious. Possible malicious behavior on an infected robot includes complete interruptions in service, pornographic content on the robot display, the use of curse words, even doing violent movements. The infected robot could also be an entryway into other internal networks at a business, offering backdoor access to hackers and an entry point for layer penetration to steal sensitive data.”

In a blog titled, Robots Want Bitcoins too!, the researchers warned that “ransomware for robots is a real threat with potentially huge economicimplications for businesses — even more than regular ransomware.”

It can apparently take weeks to send one of the $10,000 robots back to SoftBank for repairs. “Businesses lose money every second robots are non-operational — whether through lost revenue, production and/or repair costs. Paying a ransom to quickly get the robots working again could be cheaper than the alternative.”

The blog post added, “In the special case of sex robots, where privacy and intimacy are a primary user concern, the lack of discretion when contacting technical support, arranging pickup and calling customer care, could incentivize users to pay a ransom for the return of a robot rather than dealing with the emotional fallout.”

IOActive told SoftBank Robotics about the security vulnerabilities they discovered in January 2017, but the company has not fixed the flaws.

SoftBank’s response to robot vulnerabilties

In response to the researchers’ latest discovery, SoftBank issued a statement about Pepper without mentioning NAO. Remember, however, that Pepper and NAO use the same operating system and share the same vulnerabilities. SoftBank said:

“When in use of Pepper, we ask to maintain the Wi-Fi network security, and also to set the robot passwords correctly. We will continue to improve our security measures on Pepper so we can counter any risks we may face.”

Although the “proof-of-concept ransomware impacted SoftBank’s NAO and Pepper robots, the same attack could be possible on almost any vulnerable robot,” added the researchers. “Robot vendors should improve security as well as the restore and update mechanisms of their robots to minimize the ransomware threat. If robot vendors don’t act quickly, ransomware attacks on robots could cripple businesses worldwide.”